Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Two IPSec VPN tunnels on ASA (9.1) with overlapping subnets, accessing the same local subnet

Hi all,

This is my first post, and the first time I've been so stumped that I need to reach out to you wonderful folks. I just can't seem to find any answers to my problem on this forum, or anywhere else. I'm hoping someone can guide me in the right direction.
I have two vendors who connect to my ASA (9.1) over IPSec VPN, who both have IP addresses in the same network. One has the entire 192.168.0.0/22 network in their crypto map, while the other only has a single host in the same network; 192.168.0.156. They both need to access the same local network, but it doesn't seem to be working.
I can't get either vendor to NAT their subnet or IP's on their end, so I have to deal with this on my side.
When configuring the tunnels in ASDM I recieve the warning: "The protected traffic overlaps with that of the connection profile to x.x.x.x. This can cause traffic initiated from the local network, which is intended to go through y.y.y.y, to go through x.x.x.x"
Does anyone know how to get around this? I'm thinking I can maybe NAT the single IP from the one vendor, but I'm not quite sure how to do that, and if it will actually solve anything. I tried a few different things with NAT, but I still can't get it to work. I may be barking up the wrong tree because, based on the error I receive, it looks like the local subnet that they both access is the problem, and not the remote networks themselves. But I could be wrong, because I'm kinda new to this, so I could be out to lunch.
Simply:
192.168.0.0/22 --> 172.17.4.0
192.168.0.156/32 -->172.17.4.0

Can anyone provide any insight?
I can provide any further info if necessary.

Thanks!

 

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

I don't see a way around this

I don't see a way around this without doing NAT of some sort.  If your vendor has a spare public IP that would be easiest.  Otherwise you can NAT to a private IP (you just need to make sure routing is correct on both sides)

 

Ex.

This is assuming that you have to build a VPN tunnel and both internal networks are 192.168.1.X/24.  
Assuming that 40.40.40.2 is an available public IP a similar configuration can be done and 50.50.50.1 is the far side of the VPN tunnel.

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 40.40.40.1 255.255.255.0

interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

object network local_host
 host 192.168.1.10

object network local_host_nat
 host 40.40.40.2

access-list vpn extended permit ip host 40.40.40.2 host 50.50.50.2

nat (inside,outside) source static local_host local_host_nat

 

crypto map vpn 10 match address vpn
crypto map vpn 10 set peer 50.50.50.1
crypto map vpn 10 set ikev1 transform-set aes-256-sha

crypto map vpn interface outside
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

tunnel-group 50.50.50.1 type ipsec-l2l
tunnel-group 50.50.50.1 ipsec-attributes
 ikev1 pre-shared-key MyKey

 

Thanks,

Kevin

2 REPLIES
New Member

I don't see a way around this

I don't see a way around this without doing NAT of some sort.  If your vendor has a spare public IP that would be easiest.  Otherwise you can NAT to a private IP (you just need to make sure routing is correct on both sides)

 

Ex.

This is assuming that you have to build a VPN tunnel and both internal networks are 192.168.1.X/24.  
Assuming that 40.40.40.2 is an available public IP a similar configuration can be done and 50.50.50.1 is the far side of the VPN tunnel.

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 40.40.40.1 255.255.255.0

interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

object network local_host
 host 192.168.1.10

object network local_host_nat
 host 40.40.40.2

access-list vpn extended permit ip host 40.40.40.2 host 50.50.50.2

nat (inside,outside) source static local_host local_host_nat

 

crypto map vpn 10 match address vpn
crypto map vpn 10 set peer 50.50.50.1
crypto map vpn 10 set ikev1 transform-set aes-256-sha

crypto map vpn interface outside
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

tunnel-group 50.50.50.1 type ipsec-l2l
tunnel-group 50.50.50.1 ipsec-attributes
 ikev1 pre-shared-key MyKey

 

Thanks,

Kevin

I had the same Popup a while

Thanks for your reply. It helped me a lot when I got the same popup.

 

2676
Views
0
Helpful
2
Replies